Security-59306.11.20.tar.gz
1 /*
2 * Copyright (c) 2008-2010,2012,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 /* This file contains the names of all known entitlements currently
26 in use on the system. */
27
28 #ifndef _SECURITY_SECENTITLEMENTS_H_
29 #define _SECURITY_SECENTITLEMENTS_H_
30
31 #include <CoreFoundation/CFString.h>
32
33 __BEGIN_DECLS
34
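/* Allow other tasks to get this task's name port. This is needed so the app
   can be debugged.

   NOTE(review): since the entitlement lets other tasks attach to this one,
   it is presumably meant for development-signed builds only; confirm that
   release signing does not carry it. */
#define kSecEntitlementGetTaskAllow CFSTR("get-task-allow")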
38
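/* The identifier of this application, typically the same as the
   CFBundleIdentifier. On iOS, the identifier is prefixed with the team-id and
   for some uses, the same applies to macOS.

   This is used as the default access group for any keychain items this
   application creates and accesses unless there is a
   keychain-access-group-entitlement.

   Note that iOS and macOS use different values for the same constant.

   NOTE(review): the branch below depends on TARGET_OS_IPHONE, which this
   header does not define itself; presumably it arrives through the
   CoreFoundation include -- confirm. If the macro is undefined the
   preprocessor evaluates it as 0 and the non-iPhone key is selected
   without any diagnostic.
*/

#if TARGET_OS_IPHONE
#define kSecEntitlementApplicationIdentifier CFSTR("application-identifier")
#else
/* Non-iPhone targets: the generic name is an alias for the com.apple.-prefixed
   key. kSecEntitlementAppleApplicationIdentifier exists only in this branch. */
#define kSecEntitlementAppleApplicationIdentifier CFSTR("com.apple.application-identifier")
#define kSecEntitlementApplicationIdentifier kSecEntitlementAppleApplicationIdentifier
#endif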
56
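/* Marzipan apps distributed through the App Store cannot share an application
   identifier with their iOS versions, so they have an associated application
   identifier which matches the iOS identifier. It will be preferred, when
   present, over the 'regular' application identifier. This avoids developers
   having to jump through hoops to port iOS apps to the Mac. */
#define kSecEntitlementAssociatedApplicationIdentifier CFSTR("com.apple.developer.associated-application-identifier")

/* The value should be an array of strings. Each string is the name of an
   access group that the application has access to. The
   application-identifier is implicitly added to this list. When creating
   a new keychain item use the kSecAttrAccessGroup attribute (defined in
   <Security/SecItem.h>) to specify its access group. If omitted, the
   access group defaults to the first access group in this list or the
   application-identifier if there is no keychain-access-groups entitlement. */
#define kSecEntitlementKeychainAccessGroups CFSTR("keychain-access-groups")

/* The value should be an array of strings. Each string is the name of an
   access group that the application has access to. The first of
   kSecEntitlementKeychainAccessGroups,
   kSecEntitlementApplicationIdentifier or
   kSecEntitlementAppleSecurityApplicationGroups to have a value becomes the default
   application group for keychain clients that don't specify an explicit one. */
#define kSecEntitlementAppleSecurityApplicationGroups CFSTR("com.apple.security.application-groups")

/* NOTE(review): this constant has no description in the header. Going by its
   name and key it relates to keychain access groups for Network Extension;
   the expected value type and the check that consumes it are not visible
   here -- confirm against the code that reads it. */
#define kSecEntitlementNetworkExtensionAccessGroups CFSTR("com.apple.networkextension.keychain")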
82
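/* Boolean entitlement, if present the application with the entitlement is
   allowed to modify which certificates are trusted as anchors using
   the SecTrustStoreSetTrustSettings() and SecTrustStoreRemoveCertificate()
   SPIs. Anchors decide which certificate chains are accepted, so grants of
   this entitlement are worth auditing. */
#define kSecEntitlementModifyAnchorCertificates CFSTR("modify-anchor-certificates")

/* NOTE(review): the two SpringBoard keys below carry no description in this
   header; what each one gates is not visible here -- confirm against the
   code that checks them. */
#define kSecEntitlementDebugApplications CFSTR("com.apple.springboard.debugapplications")

#define kSecEntitlementOpenSensitiveURL CFSTR("com.apple.springboard.opensensitiveurl")

/* Boolean entitlement, if present allows the application to wipe the keychain
   and truststore. */
#define kSecEntitlementWipeDevice CFSTR("com.apple.springboard.wipedevice")

/* NOTE(review): the three keys below are undocumented in this header; their
   value types and the operations they authorise are not visible here --
   confirm against the callers before granting or relying on them. */
#define kSecEntitlementRemoteNotificationConfigure CFSTR("com.apple.remotenotification.configure")

#define kSecEntitlementMigrateKeychain CFSTR("migrate-keychain")

#define kSecEntitlementRestoreKeychain CFSTR("restore-keychain")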
102
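/* Entitlement needed to call SecKeychainSyncUpdate SPI. */
#define kSecEntitlementKeychainSyncUpdates CFSTR("keychain-sync-updates")

/* Boolean entitlement, if present you get access to the SPIs for keychain sync circle manipulation */
#define kSecEntitlementKeychainCloudCircle CFSTR("keychain-cloud-circle")

/* Boolean entitlement, if present you get access to the SPIs for keychain initial sync.
   NOTE(review): the key is in the com.apple.private namespace although the
   constant name has no "Private" in it, unlike the kSecEntitlementPrivate*
   constants in this header. */
#define kSecEntitlementKeychainInitialSync CFSTR("com.apple.private.security.initial-sync")

/* Associated Domains entitlement (contains array of fully-qualified domain names) */
#define kSecEntitlementAssociatedDomains CFSTR("com.apple.developer.associated-domains")

/* Entitlement needed to call swcd and swcagent processes. */
#define kSecEntitlementPrivateAssociatedDomains CFSTR("com.apple.private.associated-domains")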
117
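/* Entitlement to control usage of system keychain */
#define kSecEntitlementPrivateSystemKeychain CFSTR("com.apple.private.system-keychain")

/* Entitlement to control usage of syncbubble keychain migration */
#define kSecEntitlementPrivateKeychainSyncBubble CFSTR("com.apple.private.syncbubble-keychain")

/* Entitlement to control usage of system keychain migration */
#define kSecEntitlementPrivateKeychainMigrateSystemKeychain CFSTR("com.apple.private.migrate-musr-system-keychain")

/* Network Extension entitlement.
   NOTE(review): the original comment on this constant was a verbatim copy of
   the system-keychain-migration comment above and does not match the key.
   The constant is named "Private" but the key sits in the
   com.apple.developer namespace. What this gates in the keychain code is
   not visible here -- confirm against the code that checks it. */
#define kSecEntitlementPrivateNetworkExtension CFSTR("com.apple.developer.networking.networkextension")

/* Entitlement to control usage of deletion of keychain items on app uninstallation */
#define kSecEntitlementPrivateUninstallDeletion CFSTR("com.apple.private.uninstall.deletion")

/* Entitlement to control usage of deletion of keychain items wholesale */
#define kSecEntitlementPrivateDeleteAll CFSTR("com.apple.private.security.delete.all")

/* Entitlement to allow access to circle joining APIs in SOSCC */
#define kSecEntitlementCircleJoin CFSTR("com.apple.private.keychain.circle.join")

/* Entitlement to deny use of keychain APIs, only effective on iOS keychain.
   As stated, it is not a restriction that can be relied on outside the iOS
   keychain. */
#define kSecEntitlementKeychainDeny CFSTR("com.apple.private.keychain.deny")

/* Entitlement to control use of keychain certificate fetching functions */
#define kSecEntitlementPrivateCertificateAllAccess CFSTR("com.apple.private.keychain.certificates")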
144
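/* Entitlement to control use of CKKS */
#define kSecEntitlementPrivateCKKS CFSTR("com.apple.private.ckks")

/* Entitlement to allow manipulation of backup keybags in keychain table */
#define kSecEntitlementBackupTableOperations CFSTR("com.apple.private.keychain.backuptableops")

/* Entitlement to allow use of CKKS plaintext fields */
#define kSecEntitlementPrivateCKKSPlaintextFields CFSTR("com.apple.private.ckks.plaintextfields")

/* Entitlement to allow use of CKKS 'current item' changing SPI */
#define kSecEntitlementPrivateCKKSWriteCurrentItemPointers CFSTR("com.apple.private.ckks.currentitempointers_write")

/* Entitlement to allow use of CKKS 'current item' reading SPI */
#define kSecEntitlementPrivateCKKSReadCurrentItemPointers CFSTR("com.apple.private.ckks.currentitempointers_read")

/* Entitlement to allow use of sysbound field */
#define kSecEntitlementPrivateSysBound CFSTR("com.apple.private.keychain.sysbound")

/* NOTE(review): undocumented in this header. The key is a ".deleteall"
   sub-key of the backup-table-operations entitlement above, so it
   presumably gates a delete-everything variant of those operations --
   confirm against the code that checks it. */
#define kSecEntitlementBackupTableOperationsDeleteAll CFSTR("com.apple.private.keychain.backuptableops.deleteall")

/* Entitlement to allow executing keychain control actions */
#define kSecEntitlementKeychainControl CFSTR("com.apple.private.keychain.keychaincontrol")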
167
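/* The two constants below expand to NSString literals rather than CFSTR
   values, so they are defined only for Objective-C translation units. */
#if __OBJC__
/* Entitlement to control use of OT (presumably Octagon, going by the key --
   confirm) */
#define kSecEntitlementPrivateOctagon @"com.apple.private.octagon"

/* Entitlement to control use of Escrow Update */
#define kSecEntitlementPrivateEscrowRequest @"com.apple.private.escrow-update"
#endif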
175
176 __END_DECLS
177
178 #endif /* !_SECURITY_SECENTITLEMENTS_H_ */